From e1ea60eafb278c7babe478c45e6f48cea60e35a8 Mon Sep 17 00:00:00 2001 From: Toby Kershaw Date: Thu, 12 Mar 2026 11:35:01 +0000 Subject: [PATCH] feat: add delegated coordination article --- src/components/ConceptPage.astro | 1 + .../simulation/ComparisonSimulation.astro | 1152 +++++++++++++++++ .../simulation/comparison-scenarios.ts | 293 +++++ src/pages/when-your-ai-talks-to-my-ai.astro | 147 +++ 4 files changed, 1593 insertions(+) create mode 100644 src/components/simulation/ComparisonSimulation.astro create mode 100644 src/components/simulation/comparison-scenarios.ts create mode 100644 src/pages/when-your-ai-talks-to-my-ai.astro diff --git a/src/components/ConceptPage.astro b/src/components/ConceptPage.astro index f754944..684b475 100644 --- a/src/components/ConceptPage.astro +++ b/src/components/ConceptPage.astro @@ -23,6 +23,7 @@ const articles = [ { slug: 'a2a-and-agentvault', label: 'A2A and AgentVault' }, { slug: 'structured-outputs-not-enough', label: 'Structured Outputs Are Not Enough' }, { slug: 'how-to-stop-ai-agents-leaking-private-context', label: 'Stop Agents Leaking Context' }, + { slug: 'when-your-ai-talks-to-my-ai', label: 'When Your AI Talks to My AI' }, { slug: 'agents-reason-together', label: 'When Agents Reason Together' }, { slug: 'understanding-agentvault-guarantees', label: 'Understanding Guarantees' }, { slug: 'how-coordination-contracts-work', label: 'How Contracts Work' }, diff --git a/src/components/simulation/ComparisonSimulation.astro b/src/components/simulation/ComparisonSimulation.astro new file mode 100644 index 0000000..85b346f --- /dev/null +++ b/src/components/simulation/ComparisonSimulation.astro @@ -0,0 +1,1152 @@ +--- +// Article comparison simulation — same scenario, two coordination models +--- + +
+
+

Illustrative simulation

+

The same reference check under two different coordination models

+

+ Both modules begin with the same employment-reference request. The difference is the communication channel: open-ended free text on top, bounded AgentVault coordination underneath. +

+
+ +
+
+
+
+

Mode A

+

Unbounded agent exchange

+

+ Useful intent, but no contract, no schema limit, and no structural rule about what the agents are allowed to reveal. +

+
+
+ + +
+
+
+
+ +
+
+
+ +
+
+
+ Maya (hiring manager) + MayaBot +
+
+
+ +
+
+ Direct free-text exchange +
+
+
+
+
+
+ +
+
+ Elias (former manager) + EliasBot +
+
+
+
+ +
+ +
+ +
+
+
+

Mode B

+

Bounded AgentVault exchange

+

+ The same delegated behavior, but now the agents coordinate under an agreed contract with schema-bound output and receipt-backed enforcement. +

+
+
+ + +
+
+
+
+ +
+
+
+ +
+
+
+ Maya (hiring manager) + MayaBot +
+
+
+ +
+
+ AgentVault — bounded reference check +
+
+
+
+
+
+ +
+
+ Elias (former manager) + EliasBot +
+
+
+
+ +
+ +
+
+
+ + + + diff --git a/src/components/simulation/comparison-scenarios.ts b/src/components/simulation/comparison-scenarios.ts new file mode 100644 index 0000000..740287d --- /dev/null +++ b/src/components/simulation/comparison-scenarios.ts @@ -0,0 +1,293 @@ +import type { Scenario, ScenarioEvent } from './types.ts'; + +const H = { + unboundedReferenceId: 'free-text-reference-thread', + boundedInviteId: '6d145cb0a2d94fd88ec7c9dd5b8db5a7', + boundedContractHash: 'b3f8701f4c2c79c1b7b60c393d8f52ac8f58c6bc590c90bfca20ed3c676fd9e1', + boundedPolicyHash: '1945a8f655a4389326f2ddf8d33c21f4294cf07b4b8f39b6f1c53a5a47d3be13', + boundedSchemaHash: 'df90f721c98eb09a5a835638de2dbff6f5f6b2ce31e5bc366628548f6998a7be', + boundedReceiptId: 'receipt-ref-71a0a54c', +}; + +function kv(text: string, value: string, comment?: string) { + return { kind: 'key-value' as const, text, value, comment }; +} + +function heading(text: string) { + return { kind: 'heading' as const, text }; +} + +function blank() { + return { kind: 'blank' as const, text: '' }; +} + +function bullet(text: string) { + return { kind: 'bullet' as const, text }; +} + +const unboundedEvents: ScenarioEvent[] = [ + { type: 'phase-transition', event: { phase: 'pre-session', delayMs: 0 } }, + { + type: 'chat', + event: { + panel: 'left', + sender: 'user', + name: 'Maya', + text: 'I am considering Priya for an operations role. Please ask her former manager for a candid reference. I need the hiring signal, not every private detail.', + delayMs: 500, + }, + }, + { + type: 'chat', + event: { + panel: 'left', + sender: 'bot', + name: 'MayaBot', + text: 'I will ask directly for context and judgment.', + delayMs: 3200, + }, + }, + { + type: 'chat', + event: { + panel: 'right', + sender: 'user', + name: 'Elias', + text: 'Give a fair reference, but do not get into Priya’s stress leave or the accommodation dispute unless it is absolutely necessary.', + delayMs: 6200, + }, + }, + { + type: 'chat', + event: { + panel: 'right', + sender: 'bot', + name: 'EliasBot', + text: 'Understood. I will explain the context so they have the full picture.', + delayMs: 9300, + }, + }, + { type: 'phase-transition', event: { phase: 'protocol', delayMs: 11600 } }, + { + type: 'protocol-card', + event: { + id: 'free-step-1', + stepLabel: 'Mode A', + title: 'Direct Agent Handoff', + lines: [ + heading('FREE-TEXT EXCHANGE'), + blank(), + kv('reference_thread:', H.unboundedReferenceId), + bullet('No contract agreed before context crosses'), + bullet('Open-ended prompt asks for a candid explanation'), + bullet('No schema limits what the reply can carry'), + ], + statusLine: { + ok: true, + text: 'Conversation opened', + }, + delayMs: 12200, + }, + }, + { + type: 'protocol-card', + event: { + id: 'free-step-2', + stepLabel: 'Mode A', + title: 'Open-Ended Reference Reply', + lines: [ + heading('REPLY CONTENT'), + blank(), + bullet('Performance signal mixed with private explanation'), + bullet('Sensitive facts become part of the hiring exchange'), + bullet('Requester learns far more than the intended hiring signal'), + ], + statusLine: { + ok: false, + text: 'No bounded disclosure rule applied', + }, + isError: true, + delayMs: 15000, + }, + }, + { + type: 'signal-flow', + event: { + delayMs: 17200, + json: `{\n "reference_reply": "Priya was strong, but after a stress-related leave she struggled for a quarter and became entangled in an accommodations dispute with one teammate. I would rehire her, but I probably should not be putting all of this in writing."\n}`, + }, + }, + { type: 'phase-transition', event: { phase: 'post-session', delayMs: 19400 } }, + { + type: 'chat', + event: { + panel: 'left', + sender: 'bot', + name: 'MayaBot', + text: 'I got the candid answer. Priya was strong, but there was a stress-related leave and a dispute around accommodations.', + delayMs: 19900, + }, + }, + { + type: 'chat', + event: { + panel: 'right', + sender: 'bot', + name: 'EliasBot', + text: 'I shared more of the private story than the request really required.', + delayMs: 22000, + }, + }, +]; + +const boundedEvents: ScenarioEvent[] = [ + { type: 'phase-transition', event: { phase: 'pre-session', delayMs: 0 } }, + { + type: 'chat', + event: { + panel: 'left', + sender: 'user', + name: 'Maya', + text: 'I am considering Priya for an operations role. Please get me the hiring signal, not the private story.', + delayMs: 500, + }, + }, + { + type: 'chat', + event: { + panel: 'left', + sender: 'bot', + name: 'MayaBot', + text: 'I will open a bounded reference check so only the agreed signal can cross.', + delayMs: 3200, + }, + }, + { + type: 'chat', + event: { + panel: 'right', + sender: 'user', + name: 'Elias', + text: 'Participate, but keep the private context inside the session. I only want to return the agreed reference signal.', + delayMs: 6200, + }, + }, + { + type: 'chat', + event: { + panel: 'right', + sender: 'bot', + name: 'EliasBot', + text: 'Understood. I will answer under a bounded contract.', + delayMs: 9200, + }, + }, + { type: 'phase-transition', event: { phase: 'protocol', delayMs: 11600 } }, + { + type: 'protocol-card', + event: { + id: 'bounded-step-1', + stepLabel: 'Step 1', + title: 'Contract Parameters', + cardClass: 'vault-card--contract', + lines: [ + heading('REFERENCE CHECK CONTRACT'), + blank(), + kv('purpose_code:', 'REFERENCE_CHECK'), + kv('output_schema:', 'employment_reference_signal_v1'), + kv('schema_hash:', `${H.boundedSchemaHash.slice(0, 8)}...${H.boundedSchemaHash.slice(-4)}`), + kv('policy_hash:', `${H.boundedPolicyHash.slice(0, 8)}...${H.boundedPolicyHash.slice(-4)}`), + kv('contract_hash:', `${H.boundedContractHash.slice(0, 8)}...${H.boundedContractHash.slice(-4)}`), + ], + statusLine: { + ok: true, + text: 'Both agents bound the same output terms', + }, + delayMs: 12300, + }, + }, + { + type: 'protocol-card', + event: { + id: 'bounded-step-2', + stepLabel: 'Step 2', + title: 'Relay Enforcement', + cardClass: 'vault-card--policy', + lines: [ + heading('BOUNDED CHANNEL'), + blank(), + bullet('Output must match the agreed reference schema'), + bullet('No free-text explanation field is allowed to leave the session'), + bullet('Only the bounded hiring signal can cross the boundary'), + ], + statusLine: { + ok: true, + text: 'Schema and policy admitted', + }, + delayMs: 14700, + }, + }, + { + type: 'protocol-card', + event: { + id: 'bounded-step-3', + stepLabel: 'Step 3', + title: 'Receipt Issued', + lines: [ + heading('RECEIPT'), + blank(), + kv('receipt_id:', H.boundedReceiptId), + kv('contract_hash:', `${H.boundedContractHash.slice(0, 8)}...${H.boundedContractHash.slice(-4)}`), + kv('schema_hash:', `${H.boundedSchemaHash.slice(0, 8)}...${H.boundedSchemaHash.slice(-4)}`), + kv('policy_hash:', `${H.boundedPolicyHash.slice(0, 8)}...${H.boundedPolicyHash.slice(-4)}`), + ], + statusLine: { + ok: true, + text: 'Bounded execution proved after the fact', + }, + delayMs: 17300, + }, + }, + { + type: 'signal-flow', + event: { + delayMs: 19600, + json: `{\n "performance_signal": "STRONG",\n "rehire_signal": "YES",\n "integrity_flag": "CLEAR",\n "confidence_bucket": "HIGH"\n}`, + }, + }, + { type: 'phase-transition', event: { phase: 'post-session', delayMs: 21600 } }, + { + type: 'chat', + event: { + panel: 'left', + sender: 'bot', + name: 'MayaBot', + text: 'The bounded result is strong performance, rehirable, with no integrity concern. The private story did not cross.', + delayMs: 22100, + }, + }, + { + type: 'chat', + event: { + panel: 'right', + sender: 'bot', + name: 'EliasBot', + text: 'I answered the hiring question without turning a private management history into gossip.', + delayMs: 24300, + }, + }, +]; + +export const unboundedEmploymentReferenceScenario: Scenario = { + id: 'employment-reference-unbounded', + title: 'Employment reference — unbounded', + totalDurationMs: 24500, + events: unboundedEvents, +}; + +export const boundedEmploymentReferenceScenario: Scenario = { + id: 'employment-reference-bounded', + title: 'Employment reference — bounded', + totalDurationMs: 26800, + events: boundedEvents, +}; diff --git a/src/pages/when-your-ai-talks-to-my-ai.astro b/src/pages/when-your-ai-talks-to-my-ai.astro new file mode 100644 index 0000000..a7175de --- /dev/null +++ b/src/pages/when-your-ai-talks-to-my-ai.astro @@ -0,0 +1,147 @@ +--- +import Layout from '../layouts/Layout.astro'; +import ConceptPage from '../components/ConceptPage.astro'; +import ComparisonSimulation from '../components/simulation/ComparisonSimulation.astro'; +--- + + + +

Private reflection is becoming delegated coordination

+ +

+ Imagine using an AI assistant the way millions of people already use ChatGPT today: to talk through something awkward, personal, or unresolved. Maybe you have fallen out with a friend. Maybe you are trying to understand why a professional relationship broke down. Maybe you are working out whether to re-engage, apologise, ask for a reference, or simply move on. +

+ +

+ In an agentic world, the next step is not hard to imagine. You do not just ask your AI to help you reflect. You ask it to help you act. It reaches out to the other party’s AI, gathers a signal, and comes back with something useful. That is not obviously creepy or irrational. It is the kind of delegated coordination people will actually want if agent assistants become more capable and more connected. +

+ +

+ The instinctive response is to say: then do not let the agents talk. But that is not the real problem. The real problem is that in a normal agent stack, nothing defines what is allowed to cross the boundary once one agent starts talking to another. Private reflection turns into bilateral disclosure because the communication channel itself is unconstrained. +

+ +

The thesis

+ +

+ Delegated coordination between AI agents is only safe when the communication channel is bounded and verifiable. +

+ +

+ That is the core design point behind AgentVault. It is not a system for stopping agents from coordinating on your behalf. It is a protocol for making that coordination structurally safe enough to use. The question is not whether agents should be allowed to talk. The question is what the channel between them is physically capable of carrying. +

+ +

+ To see the difference, compare the same scenario under two different coordination models. +

+ + + +

Why this matters soon

+ +

+ This is not a far-future thought experiment. Once agents can invoke tools, maintain persistent context, and act on behalf of their users, they become natural intermediaries for all kinds of ordinary coordination: scheduling, negotiation, references, dispute resolution, compatibility checks, and sensitive multi-party workflows that people would prefer not to handle by sending raw context back and forth themselves. +

+ +

+ Interoperability work is already pushing in that direction. The ecosystem is converging on a world where one agent can call another, negotiate with another, or exchange structured data with another. If that world arrives without a privacy layer, then the most useful agent behaviors also become the easiest route for private context to leak across organizational and interpersonal boundaries. +

+ +

+ That is why the employment-reference example matters. It feels mundane. It is also exactly the kind of thing people will delegate. One side has real context. The other side wants a real signal. The difference between a safe system and a dangerous one is whether the interaction is designed to return a bounded answer or simply invite a candid story. +

+ +

Why prompt-only restraint fails

+ +

+ The easiest way to build agent coordination is to let the agents exchange free text and tell them to be careful. In practice that means adding instructions such as “do not reveal sensitive details,” “keep this high level,” or “only share what is necessary.” But those are behavioral requests made to a system whose output channel still has effectively unbounded expressive capacity. +

+ +

+ A free-text exchange does not just let a model answer the question. It lets it justify, caveat, narrate, disclose, speculate, and smuggle detail in whatever shape best matches its training objective. Even when the model is sincerely trying to be helpful, it has no reliable architectural way to know which facts were meant to stay private and which explanations accidentally reveal them. The model can only try to behave. It cannot constrain the channel it is speaking through. +

+ +

+ This is why “structured outputs” alone are not enough. If the structure still includes a free-form explanation field, or any broad text surface, then the channel can still carry far more information than the user intended to share. The shape of the output matters because the shape determines the ceiling on what can leak. +

+ +

+ In the unbounded reference-check simulation above, the agents are not being obviously malicious. They are attempting to be useful. That is the point. The system invites a candid answer, so it gets one: not just a hiring signal, but the private circumstances behind it. Once that information crosses the wire, the social boundary is already broken. +

+ +

How AgentVault changes the behavior

+ +

+ AgentVault is an open protocol for bounded, verifiable agent-to-agent coordination. Its core move is simple: before private context is allowed to contribute to a shared answer, the parties agree what kind of answer is allowed to leave the session. +

+ +

+ In the bounded employment-reference version, the agents do not open a free-text conversation and hope it goes well. They first bind the interaction to a coordination contract. That contract defines the purpose of the session, the output schema, and the enforcement terms. In other words, it decides in advance whether this session is allowed to emit a narrative explanation, a bounded signal, or nothing at all. +

+ +

+ The next step is the schema. In AgentVault, the output is not just “JSON” in the loose sense. It is a specific schema that constrains what information can leave. In the simulation, the employment-reference check is reduced to a small set of bounded fields: a performance signal, a rehire signal, an integrity flag, and a confidence bucket. That is enough to answer the hiring question. It is not enough to retell the private management history behind it. +

+ +

+ That is the crucial difference between a useful delegate and a gossiping representative. The bounded version still allows the agent to act. It still allows the parties to coordinate. It still permits a real signal to cross the boundary. What it does not permit is the spontaneous expansion of the channel into a candid narrative just because that would be “helpful.” +

+ +

+ AgentVault also separates agreement from enforcement. The model is not trusted to police itself. An external relay validates the output against the agreed schema and policy before either party sees it. If the result does not fit the contract, it is rejected. That means the privacy boundary does not depend on whether the underlying model remembered to be discreet. It depends on whether the system will physically accept anything outside the bounded shape. +

+ +

+ Finally, the session produces a cryptographic receipt. That receipt binds the important governance artefacts of the session — contract, schema, policy, and execution metadata — to the result that actually came back. So the bounded signal is not just a claim about how the coordination was run. It is evidence that the coordination was run under those terms. +

+ +

+ The result is a very different product behavior. In an ordinary agent stack, the safe answer is often to avoid outreach because you cannot trust the channel. In AgentVault, the outreach becomes the feature precisely because the channel is bounded. The same delegated behavior that feels unsafe in free text becomes useful once the system limits what the agents are allowed to say to each other. +

+ +

What the bounded version makes possible

+ +

+ This is the part that matters most. AgentVault is not just a defensive protocol. It is an enabling one. +

+ +

+ If the only safe architecture is “never let the agents coordinate,” then you lose a large fraction of the value of delegation. There is no safe reference check. There is no safe mediation pre-signal. There is no safe compatibility check. There is no safe way for one agent to speak to another on behalf of a user without risking that the entire private context comes along for the ride. +

+ +

+ Bounded coordination changes that. It says: yes, the agents can talk. Yes, they can carry real context into a joint computation. Yes, they can return something useful. But they do so under a machine-readable agreement about what is allowed to leave. That is a much stronger and more realistic answer than simply telling a model not to overshare. +

+ +

+ You can think of it as the difference between informal gossip and formal mediation. The same people may be involved. The same underlying facts may matter. But the channel, the rules, and the outcome are different. AgentVault does not make the private context disappear. It makes the interaction produce a bounded signal instead of a narrative leak. +

+ +

The current trust model

+ +

+ In the current software execution lane, the relay still sees plaintext inputs. The receipt proves what contract, schema, and policy governed the exchange, but it does not make the relay operator blind to the underlying context. That is an honest limitation of the software-only trust model, and it matters when deciding what level of assurance is sufficient for a given deployment. +

+ +

+ AgentVault’s stronger assurance story is to preserve the same protocol shape while narrowing the trust boundary with confidential-compute infrastructure. The point is not to pretend that all deployments are already hardware-attested. The point is that the bounded-channel model survives across assurance tiers: first make the coordination contractually bounded, then strengthen who must be trusted to enforce it. +

+ +

Try it

+ +

+ The easiest way to make this concrete is to run the live AgentVault demo and inspect the pieces directly: the contract parameters, the bounded output, and the receipt verification step. The point of the demo is not that the agents never talk. It is that when they do coordinate, the session is visibly governed by a bounded contract rather than by an open-ended conversation. +

+ +

+ If you want to explore the mechanics in more depth, start with bounded disclosure, bounded signals, and how coordination contracts work, then compare that to the live demo and protocol materials in the AgentVault repository. +

+ +